When enabled this does:
This option enables the integrity subsystem, which is comprised of a number of
different components including the Integrity Measurement Architecture (IMA),
Extended Verification Module (EVM), IMA-appraisal extension, digital signature
verification extension and audit measurement log support.
We do not support secure-boot thus we do not need keyrings.
Enabling this would do:
Enable auditing infrastructure that can be used with another kernel subsystem,
such as SELinux (which requires this for logging of avc messages output). System
call auditing is include on architectures which support it.
We have no SELinux.
When enabled this addditional feature does:
Enables additional kernel features in a sake of checkpoint/restore. In
particular it adds auxiliary prctl codes to setup process text, data and heap
segment sizes, and a few additional /proc filesystem entries.
This reverts commit 78c43c2078e292ac9b53d2d6a41a47466d283914.
Unfortunately we must revert the Kernel upgrade as there are two problematic
issues. One which is the break of ABI functionality with parted [1] and second
the internal cryptop API [2] which removed required literals for the build of
Intel QAT acceleration.
In the two weeks running 5.8 we still learned a lot - we experienced a
performance improvement of ~30% when doing NAT @ > 10GBit/s and also utilizing
the build in updated drivers for Intel NICs and WireGuard.
We are looking forward to the release of this years LTS kernel and we hope to
ship this in the final 1.3 release.
1: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.8.y&id=692d062655
2: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.5.y&id=d63007eb95
... Kernel is appended a + to the version string when there are locally
modified files - which we have. This is prevented by the existence of the
.scmversion file.
This reverts commit 8b520c63ac705aa2c35579ebfbc053b5b6a1bccb.
CI tests also use parallel ATA interfaces in QAEmu - we probably should keep it
for "poor" virtualisation.
Note: Intel does not provide a compatible QAT version. There is a custom patch
which make QAT compile for the specified Kernel version. This patch will change
the source to a non backwards-compatible version - this is fine as we run 5.8
anyways.
The logic of generating the required firmware file name has been moved from
build-linux-firmware.sh directly into list-required-firmware.py which makes
much more sense. That move was made by Daniil Baturin - I only did the
integration part. Thanks!
